unencrypted_comment_regex unexpectedly exposes secrets

Open c33s opened this issue 1 year ago • 1 comment

having a sops config file (.sops.yaml) with an unencrypted_comment_regex like this:

creation_rules:
  - unencrypted_comment_regex: sops:dec

and a secrets.yaml

# server credentials
credentials:
    # this is the age key for the deployment server # <- should stay unencrypted
    # hostname foo.example.com # <- should be encrypted
    age_key: 
        private: AGE-SECRET-KEY.... # <- should be encrypted
        public: age1.... # <- should be encrypted

where you want to have some readable comments but an encrypted private and public key, someone can easily think it should work like this:

# server credentials
credentials:
    #sops:dec
    # this is the age key for the deployment server
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

my assumption was that I would get:

#ENC[AES256_GCM... type:comment]
credentials:
    # this is the age key for the deployment server
    #ENC[AES256_GCM... type:comment]
    age_key:
        private: ENC[AES256_GCM...]
        public: ENC[AES256_GCM...]

but you end up with

#ENC[AES256_GCM... type:comment]
credentials:
    # this is the age key for the deployment server
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

so the sops:dec prevents the encryption not only for the next line but for the full following section until the next new comment block or next key/property.

that is quite unhandy/uncool, as someone might assume that only the next line stays unencrypted and not the whole next section with all its subkeys. so you have no granular control over what gets encrypted and what does not get encrypted. also, as far as I know, unencrypted_comment_regex is mutually exclusive with encrypted_comment_regex, so I cannot even do this:

# server credentials
credentials:
    #sops:dec
    # this is the age key for the deployment server
    #sops:enc
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

or

# server credentials
credentials:
    #sops:dec
    # this is the age key for the deployment server
    #sops:dec:end
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....

is there no way to only keep the next line or the next comment unencrypted but keep the rest encrypted (without specifying each key I want to encrypt/keep unencrypted with its own regex/rule)?

I had to remove the #sops:dec comment and stay with encrypted comments to stay safe (you easily overlook such behavior if your secrets file is a little longer).

I miss three things:

  • easy keep next / same line unencrypted
  • property/setting in the config to keep all comments unencrypted
  • allow to use both settings together (unencrypted_comment_regex and encrypted_comment_regex)

c33s avatar Nov 08 '24 15:11 c33s
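The "you easily overlook such behavior" point above is the security-relevant one: the only reliable way to know what ended up in plaintext is to inspect the encrypted file. The following is an added example, written for this page and not code from the sops project or from the issue author. It is a small line-based check for the block-mapping YAML layout shown in the issue: every leaf value must be an `ENC[...]` token and every comment must be an `#ENC[...]` token, otherwise it is reported with its key path or line. The sample file is constructed from the "but you end up with" output above; the trailing `sops:` metadata block (which sops adds and which legitimately contains plaintext) is abbreviated and skipped by default, and the `Finding` type, `find_plaintext` and `secrets_fully_encrypted` names are this example's own.

```python
"""Report plaintext comments and values left in a sops-encrypted YAML file.

Added example for this issue page, not part of sops. It understands only the
simple nested block-mapping style used in the issue (key: value lines with
space indentation, '#' comment lines); it is a post-encryption sanity check,
not a YAML parser.
"""
import sys
from typing import List, NamedTuple, Sequence, Tuple


class Finding(NamedTuple):
    line: int   # 1-based line number in the file
    kind: str   # "comment" or "value"
    what: str   # the plaintext comment, or the dotted key path of the value


def is_encrypted(value: str) -> bool:
    """sops writes encrypted scalars as ENC[...] tokens (see the issue output)."""
    return value.startswith("ENC[") and value.endswith("]")


def find_plaintext(text: str, ignore_top_level: Sequence[str] = ("sops",)) -> List[Finding]:
    """Return every comment and leaf value that is not an ENC[...] token.

    Keys under the top-level names in ignore_top_level are skipped; the
    default skips the 'sops' metadata block sops appends to the file.
    """
    findings: List[Finding] = []
    stack: List[Tuple[int, str]] = []  # (indent, key) for the current path
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if stripped.startswith("#"):
            # Encrypted comments are rewritten by sops to '#ENC[...]'.
            if not stripped.startswith("#ENC["):
                findings.append(Finding(lineno, "comment", stripped))
            continue
        # Leave any mapping that is indented at or beyond this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        key, sep, value = stripped.partition(":")
        if not sep:
            continue  # not a 'key: value' line; ignore
        stack.append((indent, key.strip()))
        if stack[0][1] in ignore_top_level:
            continue
        value = value.strip()
        if value and not is_encrypted(value):
            path = ".".join(k for _, k in stack)
            findings.append(Finding(lineno, "value", path))
    return findings


def secrets_fully_encrypted(text: str) -> bool:
    """True when no leaf value is in plaintext (plaintext comments may be intended)."""
    return not any(f.kind == "value" for f in find_plaintext(text))


# Constructed sample: the issue's 'but you end up with' output, plus an
# abbreviated sops metadata block of the kind sops appends (assumption: shape only).
SAMPLE = """\
#ENC[AES256_GCM... type:comment]
credentials:
    # this is the age key for the deployment server
    # hostname foo.example.com
    age_key:
        private: AGE-SECRET-KEY....
        public: age1....
sops:
    lastmodified: "2024-11-08T15:11:00Z"
    mac: ENC[AES256_GCM,...]
"""


def report(text: str) -> int:
    """Print findings; exit status 1 if any value is plaintext."""
    for f in find_plaintext(text):
        print(f"line {f.line}: plaintext {f.kind}: {f.what}")
    return 0 if secrets_fully_encrypted(text) else 1


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.exit(report(source))
```

Run it against the encrypted file (`python check_sops.py secrets.yaml`) as a pre-commit or CI step; on the sample it flags both comments and the two `credentials.age_key.*` values, which is exactly the leak the `#sops:dec` marker caused.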

is there no way to only keep the next line or the next comment unencrypted but keep the rest encrypted (without specifying each key I want to encrypt/keep unencrypted with its own regex/rule)?

There is no way to do that.

felixfontein avatar Dec 24 '24 16:12 felixfontein